Making a secure and clean system on a box (or board) requires some amount of trust. To make that trust as small as possible, there are steps you can take. At the extreme end of things, you run your own sources server and compile from those known pristine sources to make a new box. Then your “trust” consists of trusting that the sources you downloaded and any updates are in fact clean. This depends on them not being intercepted via a “Man In The Middle” during download AND that the originator is trustworthy. A similar case exists if you are NOT building from source.

Now generally you can trust that the Unix / Linux community is just paranoid enough about Authority and Intruders that they put great effort into assuring their sources and their pre-compiled binary systems are pretty much clean. Unless you choose to be a Systems Programmer & Developer yourself, that is the article of trust you accept. Since it is known that there are “many eyes” looking over the code and any “random” can take a look, it is hard to do too much illicit and not get caught eventually.

For that reason, I have chosen to draw my “line of trust” at the system vendor for open source products. I simply can’t look at the sources for every line of the system. I must trust that someone else has. This is part of my disdain for “systemd”. It comes from ONE vendor and looks like maybe at most 2 or 3 guys know how it works, only one of them the main programmer, and I don’t trust his “style” of doing things. Centralized. Somewhat opaque. Red Hat sells a LOT to government; I could easily see them giving in to a request to put some special sauce inside systemd. So no, thank you very much… It is arcane enough that few folks will look at it, and fewer still understand it, and fewer still of them catch a subtle ‘trick’ hidden in it. Hard to hide such tricks in the small codes of The Unix Way. So my line of trust is drawn at the Devuan Developers. They have demonstrated the appropriate level of concern about such things.

So I need to be able to download copies of the Devuan binary image files, and stuff them onto media, to make my systems run. This means I have to put a another line of trust at “I trust my Build Box to do the Building”. So how do I make sure my Build Box is itself clean and not contaminating other systems built on it? It’s a two step process.

First, take a very clean chip with a Linux on it. Most any one will do. For example, running NOOBS and making a generic boot chip for the Raspberry Pi, or doing a ‘clean install’ onto a PC, or even just booting a Knoppix CD on a PC as it is “clean every time”. Using that is pretty much guaranteed to be clean system, you build your Build Builder system. This process picks up at that point. I’m assuming you have a newly made Linux chip you can stuff in a Raspberry Pi or similar system that can run a download from the web and do a couple of basic Linux commands like “file” and “dd”. I’d even be OK with using a Mac or Windows box to do this step, as then any infection on them would need to “cross architectures” to get into the build process, and that is very rare.

I’m leaving it up to you how to make your “bootstrap build box”. If in doubt, just do a NOOBS install on a Pi.

So, with a “most likely clean” bootstrap build system, we download a Pristine Image file from the vendor. In this case, I used the Devuan site directly. One could choose to use one of their mirrors, too. I just launched the FireFox-ESR browser and went to:

As noted in earlier discussions, the 64 bit build is still a bit buggier AND is quite a bit slower on lots of web pages open as it swaps a LOT more for the same pages. So I’m sticking with the 32 bit build for now (and likely for at least a year to come).

That download gives you an xz file, so you need to unpack that. This uses the unxz command.

unxz devuan_jessie_1.0.0_armhf_raspi2.img.xz

this gives you:

devuan_jessie_1.0.0_armhf_raspi2.img

as your Devuan image. There is also available the SHA checksum of the file and you can download them and compare to be assured nobody swapped the bits in your binary.

SHA256SUMS
SHA256SUMS.asc

That lets you NOT trust your telco and other folks who might want to give you some bogus bytes. If really worried, you can download the checksums at one place (like Starbucks or the library) and your bits at another time at home. Your “attacker” would need to bugger both downloads to different IP addresses in different places at different times in order to pull off a “Man in the Middle” on the download itself. Personally, I’m willing to trust my https encrypted connection; but depending on “what is at stake” for you, draw your line of trust where you are comfortable.

OK, to summarize where we are at this point:

On a “pretty clean” new system, you download and unpack a trusted binary image from a trusted site and check the SHA code to assure it got there as the vendor intended. Now you don’t do any OTHER internet activity AT ALL with this system. It is ONLY for that one download and making the first Build Builder. If seriously concerned about “other web intrusions” via the browser, you can instead use a command like “curl” to do that download. This cuts out trusting the browser maker…

Next, you put that image onto a micro-SD chip. I use a Targus SD to USB adapter sold at Walmart. It’s cheap and it worked. Just put the SD card in it and put that into the USB connector of your system. Then, make sure it is NOT mounted. On Linux, it will usually mount it as something like:

/dev/sdd1 130798 21620 109178 17% /media/chiefio/BE59-395A

This means you need to unmount it so you can overwrite it.

umount /media/your-id/thatSDsystem

You will have a different user name, possibly root, and the particulars of the file system name change with the chip vendors.

Do also note where it came from. I got “/dev/sddx” but you might get /dev/sda or /dev/sdc or who knows. This matters a LOT as that is the target for your image. So, in my case, I’d use /dev/sdd as my target. Notice I’m not using the “1” or any other number. No partition numbers need apply, You are using the whole card.

So once it is unmounted, for sure, and you know the device name, for sure, issue the command:

It is rare, but some systems may not like the 10 Meg block size. If so, you can leave that out, or just make it some other number like 1M. Bigger is more efficient, until it doesn’t work ;-) You will also change the ‘x’ in that device name to the letter you got on your system for the SD card. DO NOT GET THAT WRONG as the target device will be overwritten and obliterated. Not a big deal if you followed the guidance to make a “one off” build box with a new or disposable system; but a very big deal if you do this on Your Only Office System…

This stuffs a Devuan Image onto the chip and you are now “good to go”. ALMOST.

Devuan does NOT (yet) grow the root file system to fill the SD card at boot time. So you have a 1.9 GB or so system on your chip. In my case, I used a 64 GB micro-SD card. That left about 60 GB unused and unusable. I discovered this when attempting to update and add programs to the system and ran out of disk…

There are many line commands to grow that file system. I find it MUCH easier to just use “GParted” on Debian / Devuan / Other Linux. It is the Graphical Partition Editor that lives under “preferences” in the menu of Debian for God Only Knows what reason. IF it isn’t there, do an “apt-get install gparted” to get it. Launch it. It takes a while to fondle all the disks (another reason to use a one-off bootstrap build box without disks) and present the images of partitions. The SD card ought to be the last one listed and have an ext4 partition of about 1.8 GB, and then the rest of the chip marked ‘unused’. Select the ext4 partition,

On the Pi, your working operating system has names for partitions like mmcbblk0p2 while the SD card ought to be named something like /dev/sda2. (sda1 ought to be type FAT and has the boot bits). Just right click on the ext4 partition, select resize/move from the dropdown, and set the empty bytes in “freespace following” to zero. You may need to click the cursor into another one of the size fields after typing so it updates the fields. Then click on the resize/move button. You might think you were done, but no. NOW you have to tell it to really do what you have queued up… A little ‘right arrow’ button up top turns green. Click it to actually do the resize. This can take a while to complete. When it is done, exit.

You can now mount that partition onto a Linux box (so I like using a Pi to do all this…) and I have an entry in my /etc/fstab file just for SD cards:

I make a directory /SD, and two sub directories /SD/ms and /SD/ext as mount points. Then I can mount the FAT partition, or the ext partition, as desired. Note I have the FAT partition commented out. Notice too that I added “labels” to those partitions when in GParted. It makes things much easier. There’s a “label” option in the menues. IF you chose to make a swap partition, then I’ve allowed for that in the fstab entry too. So mount the ext file system:

mount /SD/ext

and now you can put things in it that you will use later to finish the system build. Like a copy of the “Build Builder” script down below, or any particular configuration files you already know you want. Like /etc/network/interfaces or /etc/fstab copies. I made a directory Systems_Archive and put the stuff in there:

Now, at this point, you have a clean, new, from the factory Devuan Image on a fully available SD card. You have your build script, your pristine binary image, and any other stuff you might want for configuration on it. Shut down and put this chip into your PI, boot it up. You will be met with a blank black screen and a login prompt. The root account has the default password of “toor”, so log in.

I immediately do two things. Change the root password with the passwd command, and “apt-get install file” as the “file” command lets you inspect disk partitions to know what’s on them before you do anything with them, like attempt to mount them.

You can see that using the -s option is the one you want. Here you also see how that Lable can be handy. It declares itself to be the “SD_builder” partition…

Ok, You have booted up, changed the password, and have in place a copy of the pristine image file and the build script. Next you run that build script to put all the other software you want in this running copy of the system in place on it. Like a windows environment. I used LXDE. So really it’s just “run the script, answer some questions about things like keyboard type, and reboot”, then you get your graphical login.

The Script

Here’s my Build Builder script. Notice all sorts of things are MISSING from it. No mysql data base, no apache server. I could likely cut it down even more, but this is what I find comfortable. Remember that the purpose of this chip is to just be a clean uncluttered AND ISOLATED USE CASE system just for building more systems in a clean and secure way. Think of it as a ‘clean room’ system when running. The ONLY time it ought to be reaching to the internet is to… well, maybe set the clock. I suspect it could be run with ethernet entirely shut off.

So here’s my script:

root@Headend:/SD/ext/Systems_Archive# cat Build_Builder
echo " "
echo "Download a compressed image file from a Devuan Mirror such as"
echo "https://files.devuan.org/devuan_jessie/embedded/"
echo " "
echo "copy the downloaded Devuan PiM2 32 bit image to a work space"
echo "on local media, then uncompress it with:"
echo "unxz devuan_jessie_1.0.0_armhf_raspi2.img.xz"
echo " "
echo " Once uncompressed, copy it to an SD card (assumed mounted at /dev/sdd)"
echo " "
echo "With a command like: "
echo "dd bs=10M of=/dev/sdd if=/path/to/devuan_jessie_1.0.0_armhf_raspi2.img"
echo "It is now a runable Devuan with root:toor account:pasword"
echo "BUT: It's only about 1.9 GB for the file system. Next use GPartd"
echo "Which for unknown reasons is under preferences in the Debian menus"
echo "Make sure the SD card is not mounted - do a df and look for it"
echo "Select the ext4 partition on the SD card and choose to expand or grow"
echo "it into the rest of the space on the card."
echo "You now have a runable Devuan. Put it in the machine and boot it"
echo "Then run the rest of this script once logged into that chip as root"
echo " "
#
# In general, I'm encapsulating what all I did in these two postings as a script:
#
# https://chiefio.wordpress.com/2015/07/18/raspberry-pi-m2-unboxing-and-setup/
#
# https://chiefio.wordpress.com/2015/07/22/raspberry-pi-software-setup/
#
# and updating it for how to build a Pristine Build System
# If you didn't already change the password while booted up,
# when done, log in as 'root' password 'toor'. Change the password.
# passwd
# and respond with the new one when prompted.
#
# To properly inspect disk partitions, you need the file command. So as soon
# as booted, type in apt-get install file
# for use looking at partion types and content.
# but if you didn't, or won't, I'll do it here:
echo " "
echo "apt-get install file"
echo " "
apt-get install file
echo " "
echo "Also, to change the name of your machine, edit /etc/hostname and make it"
echo "what you like. "
echo "Here, I'm going to just set mine by brute force write to the file."
echo " "
echo "echo 'Builder' > /etc/hostname "
echo " "
echo "Builder"> /etc/hostname
echo " "
echo "Next, do the 'usual' update upgrade that brings you up to the present"
echo "repository status (need a network connection from here on out)"
echo " "
echo "You can either put 'sudo' in front of each of these commands, or just "
echo "'become root' which is what I usually do. Since only the root account"
echo "exists at the moment, the sudo is not needed here."
echo " "
echo "sudo bash"
echo " "
echo "then run this script with ./Build_Builder (assuming you didn't change the name"
echo "and that you are 'in' the directory where it is located.)"
echo " "
echo "apt-get update"
echo "apt-get upgrade"
echo " "
apt-get update
apt-get upgrade
echo " "
echo "Install LXDE desktop"
echo " "
echo "This takes a very long time, like about an hour, but installs a lot of"
echo "other things, like Python and wicd, so gets them out of the way early"
echo " "
echo "apt-get install lxde"
echo " "
apt-get install lxde
echo " "
echo "Start doing useful operational 'packages'. "
echo " "
# This gets the useful tools like "nslookup" for looking at Domain Names
echo " "
echo apt-get install dnsutils
echo " "
apt-get install dnsutils
echo " "
echo "Scrot is a tool for taking screen shots by saying 'scrot' in a terminal"
echo " "
echo " "
echo apt-get install scrot
echo " "
apt-get install scrot
# Normally I would install "build-essential" to get things like C compiler
# and some language tools, but they were already installed on the R.PiM2.
# Doing it on the Devuan just to be sure.
apt-get install build-essential
echo " "
echo "To get NTFS disks (like USB or an NTSB formatted SD card in adapter) to "
echo "work 'read write' instead of just 'read only', you need ntfs-3g"
echo " "
echo " "
echo apt-get install ntfs-3g
echo " "
apt-get install ntfs-3g
echo " "
echo "Want an NFS (Network File System) server so you can share disks with"
echo "your internal network? This will install the code, then you get to"
echo "configure things like /etc/exports. Optional on a pritine build box."
echo " "
echo " "
echo apt-get install nfs-kernel-server
echo " "
#apt-get install nfs-kernel-server
# prior to first use. Or reboot.
# In your /etc/exports file, put something like:
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
# /YourFileSystem *(rw,sync,fsid=0,no_root_squash)
# But without the # in front of YourFileSystem... and with your file system...
# Remember to do a
#echo " "
#echo "Restarting the appropriate services so NFS will work"
#echo " "
#echo " "
#echo service rpcbind restart
#echo service nfs-kernel-server restart
#echo " "
#service rpcbind restart
#service nfs-kernel-server restart
# To make the box a static IP number, you will need to
# make this your own server name and IP numbers in the file:
#
# Here's my /etc/network/interfaces file with leading # to make it comments.
#
# I will make this a "dump these lines in to replace" in my running version.
#
echo " "
echo "Remember to make your /etc/network/interfaces file have a static IP#"
echo "If you are going to be using PXE boot and such"
echo " "
#auto lo
#iface lo inet loopback
#auto eth0
#allow-hotplug eth0
#iface eth0 inet static
#address 172.16.16.253
#netmask 255.255.255.0
#gateway 172.16.16.254
#dns-domain chiefio.home
#dns-nameservers 172.16.16.254 192.168.1.253 192.168.1.1
#
#auto wlan0
#allow-hotplug wlan0
#iface wlan0 inet manual
#wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
#
#auto wlan1
#allow-hotplug wlan1
#iface wlan1 inet manual
#wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
# Don't forget to do a
# ifdown eth0
# wait a minute for it to quiet down
# ifup eth0
# As I want this to be a DNS server, DHCP server, and PXE server (uses a
# tftp or "Trivial File Transfer Protocol" server, all of those can come in
# one package with dnsmasq.
#For misc odd file system types you might want, you need to install them:
#apt-get install btrfs-tools xfsprogs f2fs-tools unionfs-fuse
#apt-get install hfsplus hfsutils
apt-get install squashfs-tools aufs-tools
#
echo " "
echo "And that's the end of my present install build process."
echo " "
#
# There are several files to edit and configure. Eventually I'll add a
# "here script" to dump them from this script to where they belong, or
# I'll just save a copy and have a 'save / restore' copy process.
#
# Once I get everything configured ;-)

I’m going to be doing experiments with running from squashfs copies of /lib and /usr as just one more layer of paranoia. IF anything gets in, it can’t change the read-only copies in squashfs format, only the running bits are at risk. But if not doing that, you don’t need that last line with squashfs in it, or if doing things with Macs, you can un-comment the line with hfsplus and hfsutils.

I also left in a long block with the nfs and network interfaces stuff, but commented out. Just so it’s documented how to do it if, for some reason, you needed it. I’m not going to be doing that on my Build Builder.

After The Script

I’m now making a clean backup of the chip at this stage. Just a “dd” into an archive. I can now recover to this very clean state at any time. In the process, I have only really trusted my bootstrap builder to be mostly clean and my vendor to have clean images. I’ve slightly trusted my telco to not send me to a bogus site with fake binaries (but I know ways to fix / test that if needed). Not a very large circle of trust for this chip / system.

This chip may need some configuration, or may not. Building systems depends a lot on being root, so I don’t really need to add any non-root users. IF you feel more comfortable NOT being root all the time, add one and use “su” to become root as needed.

At this point, I’m just going to be slamming that pristine Devuan “image” file onto two more SD cards. Upsizing them to use the whole card, running my basic user system build script on them, adding my “usual user” account and any network customizations and security enhancements, and then using them for dedicated purposes.

1) Dirty Driver: A basic Devuan on an 8 GB (or maybe smaller) chip for the purpose of doing general web browsing of anywhere. Crap crawls into the chip, I don’t care. After it is built, but before first use, I’ll “dd” an image of it into Systems_Archive. Then after each use, I’ll ‘dd’ that image back onto the card. Flushing any bad bits as I go. Bits only flow one way, from the pristine saved image onto the Dirty Driver card.

2) Financial Stuff: A basic Devuan used for things like any online activity for any site with money involved. Like Paypal or online banking (that I don’t like, but I’m getting pushed into it). NEVER for any general purpose web activity.

The Dirty Driver will only be used on the Telco Router network side, so never exposed to my interior network. IF it ever gets infected with anything, it can only hit the Roku on the TV (which seems immune) and the Telco router (that isn’t my problem). But it is most likely going to be flushed before anything bad has time to happen.

The Financial Stuff system will only be used on my private network side and ONLY for 2 or 3 particular sites. As they are highly trusted, this lets me limit my circle of trust to only them. Isolated from the un-trusted stuff on the Dirty Driver. I may, or may not, re-flash this system from the saved image, depending on my level of concern.

The Build Builder just sits on the shelf, never talking to anyone. Never being exposed. Only booted to put those trusted bits onto system cards to go into other systems.

MAYBE, in a year or so, a new updated binary downloaded to it and repeat the system build process, but really, I could just re-flash the chips with their saved image, do an apt-get update and apt-get upgrade, then “dd” that updated image back to Systems_Archive as the new image. Since that would start from a re-flashed chip, the history of use and exposure would be unable to crawl back up with the update copy; as that is only trusting the Devuan vendor site.

In this way, I’ve got clean isolated and most likely safe and pristine system images to use. Any “bad thing” that crawls in can NOT get into my off line disks, nor can it get back “upstream” into my build process. It gets flushed out before the next use. I’ve also put a hard wall between my Interior Office Work on my Daily Driver, my Financial Transactions, and my Dirty Driver exposures. Fire breaks and firewalls all around. Minimized circle of trust on the build process, and isolated circles of trust on Financial, Lab Work, and Public Internet uses.

And that, boys and girls, is a big part of how I keep my systems clean and healthy in a hostile world.

31 Responses to Making A Pristine Build Builder

I looked at your script, very easily followed with Progress verbosity. The whole workflow and rationale is very well thought out. Respect!

Two questions: 1) bash? 2) I know its personal coding style, but what is the purpose of putting a single space in double quotes to create what look like blank lines on a display? I am suspecting its part of a coding procedure, something like yanking/ pasting a block of 3 or 4,and just starting to type where the space appears on one of the lines.

I’ve recently gotten out of the habit of using double-quote pairs for echo, unless I want to control spacing/formatting for some reason, i.e., taking advantage of the -e flag, and embedding leading \n or \t.

1) bash is the default shell in Linux. Bourne Again Shell, IIRC. Came about when AT&T was trying to sue folks for anything Unix related, so sh was rewritten in a clean room way. It’s basically sh without legal risk. I’ve also used csh, but it has odd syntax in scripts, and ksh, Korn Shell, that’s sort of sh++ ;-) but not used tsh (that seems to come as several different things from “tiny shell” to “testing shell”) nor tcsh.

2) I like to make things explicit. By putting a space in double quotes it is highly clear that I’m deliberately printing exactly and only a space. Didn’t forget anything. It also makes it VERY easy to add text later and not end up with a missing close quote. Just pick a “blank” line and start typing between the quotes. Having had non-matching quotes bite me too many times, I just make it a habit to always ALWAYS have matching quotes. I like white space for presentation and readability. So put empty lines around things.

Per using flags: Noobies have to look up what flags do. By adopting “minimal complexity” usage it makes it easier for new folks to see what’s being done. i can write “Obfuscated Code” if needed, or just to be a pill… but have mostly focused my style choices on minimal complexity, subset of options (and don’t need to worry about flags changing in future releases), and clarity to the uninitiated… or me when I come back to something I wrote 2 decades ago on an operating system no longer on this earth…

Basically, don’t think of this as “code for programmers” but as “code for education”…

Oh, and glad you liked it ;-) It’s how I work when I’m doing Real Work …

@All:

My Odroid XU4Q arrived in the mail today. Looks like their 4 to 6 days for USPS was way off and it got here in about 2 days. I hope to have it configured and running by tomorrow. I’ve already added the odroid image to the Build Builder ;-)
devuan_jessie_1.0.0_armhf_odroidxu.img.xz

It has a MONSTER heat sink on it.inch and a half square and one inch tall! ( 2.54 cm tall and about 7.6 cm square for those who are fraction challenged or imperial non-literates ;-)

On the Build Builder, I needed to install gparted so add to the script:

apt-get intall gparted

Also decided having Firefox was an OK risk as long as I limited it to only vendor sites (i.e. I’m too lazy to swap chips that often and can’t run two headful machines at once) so I also did an:

apt-get install firefox-esr

On the Odroid front, I tried booting from the Devuan U3 image (as it is supposed to be software compatible) but nothing booted. In order to sort out “my setup” vs “OS”, I’m downloading the vendor image along with a user contributed minimal (i.e. no windows manager) Debian. Worst case is I do the Debian, then the Devuan upgrade path.

I’m going to try the vendor Ubuntu next, just to make sure I know how to set up the hardware and get something running. There’s a little switch on one edge to tell it to boot from SD vs eMMC and that wasn’t set right. Then there is a ‘power switch’ like a 2 mm plastic dowel sticking up on the side. It both presses in and wiggle sideways, so unclear how to know if it is ON or OFF. I tried several movements. So for now I’m assuming I need a “real” U4 image…

Now that’s not nearly as bad an impact as when running on the Pi, since this thing has 8 cores and 4 of them are way fast at 2 GH. It is also running with a GB of memory free and no swap needed… Now, after the first few minutes of running, that 100% CPU core suckage has ended.

Oddly, the MATE Monitor shows activity on all 8 cores. Some idle down to zero when load is light. I suspect it’s showing usage average for the whole sample period. But it IS odd to see 8 cores…

Well, now that I know it works, I guess I’ll proceed with trying the Debian Minimal to Devuan upgrade path…

Two “quirks” to note:

1) It has a red LED to let you know power is applied. The micro-joystick power switch seems to only shut off (default on at boot) maybe… Once up, there’s a bright blue LED that flashes rhythmicly. I think it is what they call the “heartbeat”. Nice to know it is working, but a bit annoying at the edge of the visual field. May need to find if there’s a way to shut it off, or get some nail polish ;-)

2) At first boot, it showed the login splash for a second, then seemed to crash. I suspect it was doing some kind of setup housekeeping and then does a shutdown. Next boot it was fine and has been since. (Maybe I ought to read the ‘what to expect at first boot’ documentation or even the users guide ;-)

Even at low load, the heat sink is hot to the touch. Then again, “light load” seems to be about 45% to 60% load on all four of the bottom row of CPUs (5,6,7,8) and a few percent on the top row. Don’t know yet which are the high power and which the low…I think the bottom row are the A-7s so lower power / heat. Total CPU in “top” is showing about 75% idle; but who knows if it can properly handle the Big/Little thing.

OK, I’m thinking this is a nice fast box, but needs an operating system with a lighter touch than Ubuntu and a windows manager I like, like LXDE ;-)

For now, I’m going to hang onto this Ubuntu image just in case the other path doesn’t boot, but I’m just not really enamored of the “protections” and “automation” that comes with it. Too much stuff to turn off to stop the data leakage and system fiddling… Like right now I’ve got a “nag message” from FireFox that “You should restart FireFox now to install updates”… but I didn’t request any updates…

Oh Well. It’s done its job and shows the system works, and is very fast. Now on to the devo and making comfortable steps.

Do note that even with a fat Ubuntu, it’s running without notable lag time and quite faster than the Pi M3. It is a credible desktop machine just as is and even with this particular resource hungry OS.

EM, I use Ubuntu MATE on an XU4 and a 4 core AMD desktop. The XU4 is slightly slower than the desktop, but I believe it to be due slower IO. When the next version of the XU series comes out I will probably move that to my main machine.

That’s the general impression I’ve got from my first hours using it. The thing never had me waiting, was crisp and snappy in “feel” yet the cores were almost never at 100% (other than the one updater thing). Even then, I only knew that process had pegged a core because I’d opened the MATE Sytem Monitor panel and saw it. On other systems that process has caused first bootup to feel painfully bogged down. (Single core x86, Pi M3, and an older AMD64 box with one fast core I think).

My only complaint about Ubuntu/MATE, really, is that it goes out of its way to be “not my style”. I want known control via the same line command processes I’ve used for decades. It is designed to be GUI driven configration and control with systemd under the skin (so all my manual control knowledge is wrong…) and hide everything operational. I want a half dozen terminal windows open and not much else most of the time, it is all about window sugar. I want nothing to happen without my knowledge, it is designed to just make everything happen (like software updates) without you doing a thing or even necessarily knowing. They also build it fat (options chosen for more glitz at the expense of hardware demand) while I like slim minimal resource high hardware efficiency builds.

In short, it is aimed at making a more “PC like experience” with the vendor in charge; while I’m all about a more 1990 Unix Server experience with me in charge.

So it’s as much about me, as them…

I can see why other folks like it. Just ignore all the admin stuff and use the applications. Security updates fast and without even knowing you needed them or how to apply them. I just wish I could be that way, but I can’t. Too many years running the back room…

An example of why I can’t: I mentioned the browser update I’d not requested that was pending last night. Well I restarted FireFox, it applied, and now FireFox crashes on launch. Tried a bunch of stuff but no joy. Even remove and reinstall by hand with apt-get. Now in my world, I get the system to known stable state, make a backup image, and then and ONLY THEN, do any update process. Easy rollback on a bad update. Since I never got that chance, I now either start over on the system install, or wait a few days to see how fast they fix it… Now immagine you have 3000 engineers all calling YOU on the support hotline demanding you fix their FireFox NOW as it is critical to getting their job done… been there, done that, got the scars… never again… thus my tightly controlled rollback and updates process.

Oh Well….

So I’m stuck with doing things my way. That means more sysadmin friendly but manual control, back room server like, and old school. But for a home user wanting minimal OS engagement and mostly using GUI driven applications, who doesn’t mind their box chatting to various vendors about use and status and software updates, it would likely be very attractive.

Kind of like my Android Tablet or the Chromebox. To me it really is just a no fuss browser and portable internet TV appliance, I turn off as much auto stuff ss I can but just make sure nothing highly secure is kept on it. Dont even try to use it for “Unix like stuff”.

Well I restarted FireFox, it applied, and now FireFox crashes on launch. Tried a bunch of stuff but no joy. Even remove and reinstall by hand with apt-get.

Firefox did something that broke it for twitter on the windows side too yesterday. Suddenly yesterday when I tried to go to twitter, it would automatically redirect to mobil.twitter.com thinking I was not on a desk top but on a mobile device like an iPad.

I ended up uninstalling and re-installing it, and disabling all the add ons. That fixed the redirect but now it will not respond when I click the logon button – it just stares at me and does nothing.

Twitter works just fine on bluemoon or brave browsers so Firefox broke something with their most recent update.

Like you say nice to have some manual controls, and in this case several different browsers installed already to allow you to determine it is their problem not your system that is screwed up.

Iuninstalled firefox, re-installed it and after it came up a little banner window popped up at the bottom of the screen.

“We noticed you reinstalled firefox would you like to refresh the install?”
The refresh removed all addons and took the browser back to default settings.

I accepted the refresh and then did a reboot and now firefox works on twitter again.

I never mess with advanced firefox settings and had not made any recent changes so their last update to version 55.0.2 64 bit for windows on 8/16/17 must have clobbered some settings that required the refresh to fix it as the first attempt at reinstall did not work either.

Not directly related to your pristine builder but a good example of how auto updates can get you in a jam through no fault of your own.

I’ve got a generic Debian running on the Odroid XU4. The hard part was getting lxde to load and go. Still have one odd error message (that looks like it is systemd related as it is unhappy about some web site name not being in a .service file), but I’m typing this from FireFox on it!

I’ll put up details once I have the thing to the state I want and have a Build_XU4 script written up.

What I’ve noticed already is that even running the browser and a couple of status windows, I can grab the heat sink and it’s warm but not “ouch hot”. CPU running about 95% idle even as I type this. Yowsers this thing is fast with a light OS and display running on it!

I’m going to shut down, grab a backup / recovery copy, then reboot and continue configuration. (Not a good idea to be web browsing as root, even to my own site ;-)

I’ve now “moved in” with my own account and home directory. Along the way, found that one of the disks with an ext4 file system is not like the others and causes an infinite hang at boot time. (Boot other system, mount SD card, edit /etc/fstab to comment out entries, reboot…)

No idea at all why. Here I thought ext4 was the same everywhere…

So, at this time, I have a fully functional General Purpose Debian running with my home directory and account working as expected and a GB of swap on “real disk” (totally unused…)

I can now begin a real evaluation AND do the write up of “stuff found”. Then, maybe in a day or two, proceed to that “make a backup and try the Devuan Upgrade process”…

As of now, my general impression of it is “Great Fast Board that would benefit from a cleaner more lean and stable OS image with GUI already running”.

As is typically the case, when your installed user base is narrow, there’s less choice in “ready to rumble” software and more things that are a little glitchy (like the disk issue).

Sounds like a promising option for a legitimate desk top non-windows, not intel system.

So I take it you are running the non-systemd Devuan fork of Debian or just a generic Debian release at this point?
(just to verify I didn’t miss something), at the top of the page you are talking about Devuan and here in the last post just referring to Debian.

I first tried the Devuan binary image for “U” processors. The XU4 is supposed to be “binary compatible” with the XU3. It would not boot. ( I presume something in the boot config is different, even if the processors match, some driver or detail is wrong. MAY be able to mate the U3 Devuan with an Ubuntu boot process…)

Then I tried the straight Debian based Ubuntu designed and built for the XU4. It works well, but is a Fat Pig and offends my “ME in charge” sensibilities.

That just leaves using a Debian and “upgrading” to Devuan as the open path. So that’s what I’ve tried now. So far, I’ve installed the “User Contributed” Debian image (link above I think) and then configured it for my account and my disks and my general environment, but not YET doing anything Devaun. It has shown itself to work, more efficiently than Ubuntu, and reasonably well; EXCEPT that it isn’t happy with one of my disks (despite it being ext4) and launching a video hung the system. OK…. So maybe, just MAYBE, when I do the “convert to Devuan” (that I’ve not done yet) some binary swaps will “fix it”.

Expect that some time, way late tonight or maybe tomorrow, I’ll put the Devuan site in the apt config files and do that “swap my Debian over to a Devuan” and see if it works better ( I expect it will…); but that has not been done yet.

At this point, I really really like the hardware, but think it needs a broader set of really quality ported and QA regression tested operating system choices.

So unless the Devuan “upgrade” gets the bugs down, it looks like either running Ubuntu, or doing a build from sources and being a developer is the only way to make this a really good system… So I’m betting (hoping) the Devuan upgrade / conversion gets the bugs out…

So, OK, I can always use it as a distcc node in the cluster and it would be a great one; but I’d rather have it work well as a desktop…

Maybe I can get over my distaste for systemd and the MATE Ubuntu Way… /sarc;

I love your level of paranoia. People who travel in submarines are paranoid because they are convinced that the world is out to get them……..but are they paranoid enough?

Since it was revealed that my Samsung TV can spy on me, my level of paranoia has increased. Remember George Orwell’s “1984”? If “THEY” can bug everybody’s TV it should be pretty trivial to bug everything in the White House. Maybe that explains why Trump can’t call the prime minister of Australia without a transcript leaking to the NY Times. Will his 17 day absence be sufficient to allow the building to be cleansed?

I love “gparted” which reminds me of “Partition Magic” so you had me baffled with this:

“I find it MUCH easier to just use “GParted” on Debian / Devuan / Other Linux. It is the Graphical Partition manager that lives under “preferences” in the menu of Debian for God Only Knows what reason. IF it isn’t there, do an “apt-get install gparted” to get it.”

I was greatly relieved when you corrected your typo in the comments above.

Not sure if I am disappointed or relieved. ;-) But I am glad we have our best man on the job.

The XU4 has the horse power, maybe more then needed. It’s IO speed is certainly an improvement. over the Pi-3. The Odroid community may too small to optimize the Devuan OS w/ LXDE . This may well be a DIY project to get what you want. Security must be built in from the start not added on later, A
bit of obscurity in the OS may be a feature…pg

Based on nothing but personal bias and observed public news over the decades (I.e. bias and lies) it is my oppinion that under JFK there was a coup fomented by the CIA, carried out by the Mafia (with whom they were known to have closely worked) and with the approval of Johnson.

The motivation was JFK putting us minutes away from nuclear war and likely not taking their “guidance”. RFK being similarly inclined, he got removed when it looked like he was headed to the driver’s seat…

Since then, any “outsider” or “unapproved” candidate has generally been talked into having an insider running mate… so Reagan got, golly, Bush – the old CIA man… (but survived being shot…)

Now, given that background: what on earth would lead anyone to think the White House was not bugged head to toe ever since Kennedy? The only question I would ask is who gets to listen to the intel? Is it the NSA, the CIA, or the Secret Service? Or is the FBI in the loop too?

Remember that the USSR gave a carved wooden something…USA Seal? To one of our embassies. Later a small metal rod was found attached inside. Vibrations were read remotely by radar… an entirely passive “bug”. Most any object can become a bug. Adding all their electronics to the mix would make it near trivial. (For example, the Nuclear Football must be with the President, has communications gear, and is under restricted access so not a lot of random inspection. Similarly, micro bugs can fit in a woman’s ring, so easy to put one in the lapel pin worn by Congress Critters and officials). Unless you walk around with a bug scanning team constantly with full spectrum monitoring, and suspect ALL microwaves (even your WiFi) of activating passive devices, you will never know. Heck, I’m pretty sure the Russian technique would let nails in drywall be read with your home WiFi by a passive listener…sound quality might suck, though, compared to IR or UV laser reading window vibration…

So the ONLY reasonable behavior is to assume constant bugging and just use it to your advantage. Oh, and again, ask who gets the feed…

Now, Obama, lacking any moral compass and surrounded by scoundrels, will have planted true believers (with moderate cover) throughout the TLAs. I’d expect him to be looped in untill Trump has had a few years to ferret them out and lock up the obvious leakers. Don’t know if he will have enough time though. But he ought to start with the advance teams and bug sweep teams that prep his home properties for visits to assure they are not planting things too…

Were I potus, I’d have the White House “renovated” by a trusted team and new furniture brought in… Oh, wait…

I’m a computer tinkerer, so I’m going to try various things. This has the benefit of letting others not go wandering into the muck “exploring”… as I’ve already gone there in my “tall boots” (or occasionally hip waders…)

I can generally find a good use for the less attractive desk top options anyway, so something that blows up on video playing can become a great compile server or execution node for models. Or like when that adventure in very cheap land with the Orange Pi showed how much heat management matters and give me a nice file server with LVM 8 TB of storage and built in web scraping. Just not going to be my daily driver desktop… Boards are like people, each one has something they are good at, you just have to find it.

Now the Odroid is a marvelous bit of hardware. As an Ununtu MATE from the vendor OS build, it is a very nice desktop. I’d recommend it to others for that use. BUT, I’m already committed to the Devuan path for my uses. (Though note I’m running Armbian on the Orange Pi – a straight Debian for ARM chips – as it is low priority to me to work on it). The Pi M3 is “fast enough” as a desktop, painless really to set up, and largely bug free. The only pinch point being when loading “Tips” pages toward the end of the month full of videos… each video spawns a script to load the thing and the Pi starts to struggle. But I can live with that or swap to the tablet to watch videos which I do anyway as my monitor doesn’t do HDMI audio (crummy DVI adapter…).

So that leaves what to do with the XU4.

First off, I’m not even 1/2 way done exploring. This was just a first “find the bottom” step into the creek. As I eventually want a “from sources directly” build, I will likely use it for doing that. Traditional devo build test cycle stuff. I’m also sure other folks will be pushing it too. The hardware is that good, it will get a following. So even if I do nothing, in a year it will likely have a nice Debian on it. As Devuan already supports the XU3, it may well only take some minor Uboot tweek to make it go… and I’ve wanted to learn uboot configuration anyway… Between those paths, I expect to have a nice stable Devuan on it in a year or so. Sooner if a uboot thing.

Right now I’m going to make a Sometimes Desktop Ubuntu chip and see just how hard it is to live with (I.e. how stubborn am I :-) and can I get LXDE going instead of MATE. I’m also going for a “do over” of the Debian install to get a clean build leaving out some of my side tracks… archive that, then try the Devuan In Place upgrade process (that was flawless on the Pi). And maybe next week try to figure out why the Devuan U3 image doesn’t like the U4.

Eventually, either one of those gives me a desktop I like, or the U4 joins the cluster as a monster compute node & USB 3 file server. I need to get a USB 3 hub to add that function, and a GigE switch to use the faster ethernet, whenever the time comes that I need them.

In any of those cases, I’ve also learned that for misc. servers, the Pi M3 is much easier to build with, has more than enough speed, and is my first choice. My next “buy” will likely be 2 of those and another dogbone case… then I can have my Pi B+ DNS server and 3 x Pi M3 boards in one as infrastructure, with occasional distcc compiles shared to the Pi M3 boards (12 cores), and a second stack with the two Pi M2 boards and the Odroid U4 as a cluster of 16 cores of computes for distcc and model experimentation. Ganging both if desired for 28 cores of distcc. But we’ll see. I’m not done exploring this one yet, so a bit early to be buying more :-)

BTW, the maturity and bug level of the user contributed Debian on the U4 are about the same as the Pi M3 in its first year out. Things improve over time….

The images use recent kernels (4.10, 4.6, and such) which causes a specific issue when you try to resize or fsck ext{2,3,4}: they use some ext4 features not yet available in the standard Devuan Jessie e2fsprogs. Because of this, you are advised to install e2fsprogs from jessie-backports if you are in need of using these tools on these images.

So most likely, the disks I’m using have features not matching the other OS due to which kernel each has and which e2fsprogs. Thus my odd disk failure in fsck at boot.

OK, so I need to figure out who is a what and which plays well with others…

Well, I’ve made Ubuntu qasi acceptable. After about 1/2 hour of changing things from Slime Green to neutral and changing contrast from “WTF does that say” to high, and after first boot but BEFORE CONNECTING ANY ETHERNET shutting off ALL the auto-update things I could find, and a few more things. I’s usable. And the browser works…

So now I can actually use the Odroid U4 should I wish to. I’ve mounted the old USB stick that had been my home directory and the system is not complaining about alien disks. IIRC, it was only the User Contributed Debian that complained as Ubuntu has the 4.9 kernel and knows about the newer journals on ext4, but I’m thinking of using the USB stick for a home dir that’s a bit more portable to here. It’s “USB 3.0” so benefits from the faster port too (and doesn’t need a 3.0 hub to power it…)

I’m going to try figuring out how to put LXDE on this system and swap over to it, maybe. Just to have things in the same place on the different systems. And because MATE has this nasty behaviour of blowing up a window to occupy the entire screen if you place it at the upper edge. Since my habit is to have a ‘top’ stuck in the upper right corner and a “root terminal” in the upper left, that regularly gives me “window pop” and I need to carefully undo it… or figure out how to shut it off…

Well, in any case, I can at least run tests on the board… in some degree of comfort.

In addtion to the “always there” account name of “root”, odroid has “odroid” and you must change the password on BOTH of them to something else or you are running wide open exposed. But wait, there’s more…

Ubuntu STILL ships with a default “guest account” where anyone can log in as guest without a password. It doesn’t save anything and nags you to put anything you wish to save on external media, but it lets you wander around on the box. So remember to disable it, too. I don’t know how Ubuntu thinks it ought to be done, I’d normally just put “#” in front of the passwd file entry… but their isn’t one for “guest’ so I get to “go fish” on the internet…

See, it’s stuff like that which makes a Security First guy queasy about what other decisions they made. Places that are not obvious. How much “make it easy” was done that also contributes to “make it open and easy to crack”…

Choosing a base operating system release is a lot about choosing an attitude in the development team. Picking the Team that makes decisions in line with your interests and needs.

Well, I’m logged in, in my own account, closed the biggest open doors, and only spent an hour trying to figure out how to get the worst of the pervasive slime green gone. (Choosing “Traditional” theme seems to kill off the green folder colors)

At this point, the only obvious annoyances / security issues are that it runs SystemD (no way around that without leaving Ubuntu for Devuan, but hidden well enough if you use the GUI system management provided) and that Guest Account. One hopes (“Hope is not a strategy.” -E.M.Smith) that the Guest account has enough limitations on it to not be an exposure, like maybe locked out of remote login…

Other than those two, I’m now comfortable with the look and feel and the general operations of it.

Ubuntu doesn’t expose an easy option to disable this feature. If you poke around the User Accounts configuration tool, where you might expect to find such an option, you won’t find one. To disable it, we’ll have to edit lightdm.conf, which controls the LightDM display manager (login screen)’s settings.

Open LightDM’s configuration file in a text editor by pressing Alt+F2, typing the following command, and pressing Enter:

gksu gedit /etc/lightdm/lightdm.conf

You’ll be prompted to enter your password. After you do, you’ll see the contents of the file.

Add the following line to the end of the file, in the [SeatDefaults] section:

allow-guest=false

Save the file after adding the line.

Oh, obviously…. /sarc;

UPDATE#2:

That file doesn’t exist on this Ubuntu. So something has changed and I need to go fishing again to find where the “OFF” switch is now…

Well, when you are feeling queasy about something, never look at it too closely… I thought maybe Guest was locked down enough and I could just not bother closing it, but just had to do a quick search on “Ubuntu guest exploit”:

Ubuntu 16.10 / 16.04 LTS – LightDM Guest Account Local …
Inj3ct0r is the ultimate database of exploits and vulnerabilities and a great resource for vulnerability researchers and security professionals.

has you go through a bunch of stuff to install a ‘graphical su editor’ and crap. Just skip down to the one magic file edit and as root in the editor of your choice create the file:

/etc/lightdm/lightdm.conf.d/50-no-guest.conf

I did it with

vi /etc/lightdm/lightdm.conf.d/50-no-guest.conf

as all truly experienced sysadmins would do ;-)

and then paste in:

[SeatDefaults]
allow-guest=false

Save, exit, reboot. Bob’s yur Uncle!

NEXT! On to LXDE…

Well, I installed LXDE and lxde-core and it wasn’t enough. Another page said to install lubuntu, so I did that… not enough. It DID give me the choice of an lxde terminal (which like more than the MATE terminal mostly as the colors start out reasonable…) but I can’t get any choice of desktop environment at login from lightdm. Guess I’m going to need some more lightdm config experience…

I did manage to shut off lightdm and get a login prompt, then after login tried starting lxde longhand (as I do on Devuan). No joy. Some errors about Xorg and configurations. Sigh. Have I mentioned lately that I hate X and X configuration?…

Well, OK, I’m 95% “there”. I’ve got the look and feel I like. I’ve gotten guest to die. I’ve got the terminal I use most. Does it REALLY matter that the desktop is sucking down 50% of one core when I’ve got 7 more laying about?

I think I’ll pause on the LXDE thing for a while and come back to it tomorrow…

The Guest Account looks to be a lightdm “feature” and it gets shut off in lightdm. Any logging must be done by lightdm, then. I’m comfortable that I’ve just got it shut down. I suspect it is intended as a kind of “anonymous light’ account so you can specifically dodge logging and all (for those folks not wanting to leave a bunch of information around when looking at internet porn…) and not really intended for “guests”… so the kind of thing a 20-something hacker would want available at work… and not something I want. I’d not expect it to do much logging, since my sense of it is that is antithetical to the real intended use…

Most of the other “problems” I saw were really preferences. Color scheme and such. The only real Problem is getting LXDE to run. Yeah, Xorg and syslogs and such are helpful, but it’s still a PITA digging through them. I’ll eventually get around to it, but not today. Today the sun is rising, it looks to be great outside, and the garden / yard is calling my name. I’m going to get some Sun Time instead of doing log reading… But generally one starts in /var/log

Starting with syslog, then looks like lightdm and Xorg as the most likely to be productive.

Just as a performance note:

Running on the XU4 with FireFox and the system monitor running, rarely does it ever “bounce up” to the set of 4 fast cores. It’s like 99% of the time only using the 4 x slower cores. 1.4 GHz A7. This tells me that the A15 cores are largely irrelevant to the perception of speed on the box. Something with the same I/O speed and only 4 x 1.4 GHz+ A7 cores with 2 GB of memory would 99% of the time feel the same…

I’d thought maybe the screen saver had kicked in but without an image… The “heartbeat” blue LED was blinking, but I had a black screen. Wiggle mouse, nothing. Shift key. Nothing. Return, escape… nothing. Eventually used the power mini-joystick to shut it down (haven’t checked syslog to see if it was a crash or orderly, but believe it was just crashed).

Ok…. turn on a screen saver. Check it with a 1 minute to screen saver. It works. Go back to browsing…

Took a 1/2 hour break for Reuters News (as is usual for them on Saturday, 1/2 of it or more was Friday warmed over, about 1/4 to 1/3 was Trump Bashing…)

Came back to a black screen and unresponsive to mouse or keyboard… blinking blue heartbeat light.

Crashed it again with the power toggle, then used the toggle to start power on reboot.

It’s now up, and fine. But just WT? is doing on with the hang on idle thing?

Well, I can work around it. Just always shut down when walking away for now. PITA, but Oh Well.

And folks wonder why I’m less than fond of Ubuntu… It’s the same as Red Hat promoting systemd. Ubuntu pushes their way (Unity interface as one example) and breaks things that ought not be broken as they have always worked fine in the process. Neither of them seem to get: “If it AIN’T BROKE DON’T FIX IT!!!”

As one side note:

With the look, feel, and esthetics customized more or less, it is a comfortable experience using this system. Just enough faster than the Pi M3 that it feels like a “real PC” experience. I like that. So overall, IFF I can get a real Devuan on the board I’ll be happy. If not, well, good for occasional use with high page weight sites and as a backend compute server to distributed processes… I think I’m going to “dedicate” use of the Ubuntu image to that “generally browsing anywhere” use. I could then see turning on “auto-update” for security updates and using the built in Ubuntu Firewall too. Keep the image in the present state (working, customized, not infested) on disk to reflash the chip as desired. At least for now. It is also a “boot up, run, shut down” use where my Office Desktop is more “boot up and leave up all day and night”… and clearly the Black Death Screen isn’t going to cut it in that use case…

After a long idle time, the “screensaver has left the building” happens as systemd shuts down a bunch of services including my session. Just WHY systemd decided to stop my session is an interesting question for systemd folks. MY answer is just get rid of systemd… but that is for another day…

Postings By Date

Prior Months; postings by date

Meta

To Donate via Paypal or Credit card

Paypal Donation Site.
To make a donation, visit Paypal at the link above and put in the email address pub4all @ aol (DOT) com (leaving out the gratuitous blanks and putting in a "." for (DOT) that is in the text here to defeat spam bots). Many thanks to all!